DistroWatch Weekly

A weekly opinion column and a summary of events from the distribution world

DistroWatch Weekly

DistroWatch Weekly, Issue 144, 27 March 2006

Welcome to this year's 13th issue of DistroWatch Weekly. Following last week's Fedora 5 release, the next few days will be equally exciting: we are expecting KDE 3.5.2, DesktopBSD 1.0. Frugalware 0.4 and the first release candidate of SUSE Linux 10.1. Before that happens, we'll bring you news about MEPIS switching allegiance, Slackware preparing version 11.0, and Debian compiling with GCC 4.1. Also in this week's issue: Ulteo, a new distribution developed by the founder of Mandrake Linux is nearing release, while the user community of PCLinuxOS gets a new community resource. In the review section we'll take a brief look at an intriguing book entitled Mastering FreeBSD and OpenBSD Security. Happy reading!

Listen to the Podcast edition of this week's DistroWatch Weekly in ogg (5.52MB) or mp3 (6.64MB) format(courtesy of Shawn Milo).Join us atirc.freenode.net #distrowatch

As hinted previously, the developers of MEPIS Linux, an easy-to-use distribution for Linux beginners, have switched their base system from Debian to Ubuntu Linux. If the initial tests prove successful, we are likely to see all future releases of SimplyMEPIS based on the distribution which, although derived from Debian, has a more predictable release cycle and an enviable momentum that has already pushed it to the top of many popularity charts. Designed for experienced beta testers, the first experimental release of the Ubuntu-based SimplyMEPIS 6.0 is only available from the project's premium server (starting at US$14.99), although subsequent betas and the final release should be distributed publicly.

Good news for all fans of the oldest surviving Linux distribution: Version 11.0 of Slackware Linux is now available for pre-order from the distribution's online store. Although there is no word on when the new version will be formally released, the store now offers the usual 4-CD set for US$39.95 as well as a single-DVD edition for US$59.95 and a "Slack Pack" edition containing the DVD with the Slackware Essential book (2nd edition) for US$69.95. The current Slackware development tree is based on Linux kernel 2.4.32 (with version 2.6.15.6 in the testing directory), X.Org 6.9.0, KDE 3.5.1, Apache 1.3.34, PHP 4.4.2, MySQL 5.0.18 and the usual range of popular open source software. If you enjoy Slackware, don't miss this major new update!

Over the last two weeks, Debian developer and former Debian Project Leader Martin Michlmayrcompiled the whole Debian archive on a quad-core MIPS machine donated by Broadcom using GCC 4.1. The aim was to find problems in GCC 4.1 itself and bugs in free software projects exhibited by GCC's increased standards conformance (in particular regarding C++ code). By compiling about 6200 packages, over 500 new bugs have been discovered and submitted, 280 of which are specific to the increased strictness of GCC 4.1. In a posting to the Debian development list, Martin classified the bugs he found and offered some useful links to programmers of C++ code. In a posting to the GCC list, he proposed that GCC should only produce new errors after warnings have been shown for at least one release, giving programmers more time to fix their code. This work is part of his research on quality in free software carried out at the University of Cambridge and sponsored by Google.

Last week's news about Ulteo, a new distribution being developed by the freshly unemployed Gaël Duval, has piqued the curiosity of many Linux users. As a result of the buzz, a French web site called NetEconomie expanded on the story by interviewing Monsieur Duval (the link is in French). Although the well-known founder of Mandrake Linux does not seem quite ready to reveal the finer details of the new product just yet, he does disclose that it will focus on ease of use throughout all the facets of the distribution, not just the user interface and that it will be designed for Internet-connected computers in the home and in small offices. Despite the "dot-com" nature of the distribution's domain, Gaël Duval promises that Ulteo will remain a free project, with the business model based on selling associated services rather than the distribution itself. The first beta of Ulteo is expected to be released in May 2006.

A new web site for the PCLinuxOS user community has been launched. Called My.PCLinuxOS, it promises to deliver an organised platform for the development of sub-projects that fall within the PCLinuxOS umbrella, and provide a unified system for creating user manuals, documentation and other relevant material: "We would like to help foster positive involvement within PCLinuxOS for users of all experience levels. We have areas for distributing user contributed software packages, submitting news and HOWTO articles, project newsletters, and areas for project development. No project is too small or large…." While still in its infancy, the new web site is already functional, with forums now ready for your input and the FAQs also starting to take shape. For more information please read the initial announcement and visit MyPCLinuxOS.com.

Following all the excitement surrounding the announcement of Fedora Core 5 last Monday, this week promises to continue the trend of new, interesting software releases. An update to the popular KDE desktop, version 3.5.2, is now available for Kubuntu (Breezy Badger and Dapper Drake), so the official release announcement can't be too far away now. A major milestone in the development of SUSE Linux 10.1 is expected on Thursday when the first release candidate should give us a good indication about the quality and stability of the new version. Looking through some of the mirror sites earlier today, we also spotted a couple of "wget-watering" and (as yet) unannounced distribution releases: after several release candidates, the CD and DVD images of DesktopBSD 1.0 are now available from a number of FTP and HTTP servers, while those of Frugalware Linux 0.4, officially scheduled for release later this week, have now also started appearing on the project's download sites. Expect the official release announcements of both later in the week.

DesktopBSD 1.0 - although not yet announced, the ISO images of the project's first stable release started appearing on mirrors on Sunday. (full image size: 722kB, resolution: 1280x1024 pixels)

Finally, a handful of links for those moments when you just want to sit back, relax, and have a good laugh. The first one is meant to dispel the myth that software bug reports provide only boring, highly technical information completely detached of any human emotions. As proven by Bug #330884, the developers and users of Firefox are far from that; in fact some of them are trying to save a 5-year old relationship wrecked by a bug in Firefox that gave away a partner's dark secret - some frequently visited password-protected sites, some of which were a little, er, embarrassing, to say the least. The Register caries a similar story. In the meanwhile, here is a hilarious email exchange between the lead developer of CentOS and the City Manager of Tuttle, Oklahoma, USA, who mistook the default Apache welcome page for an attempt by CentOS to hack the city's web site, even threatening to hand the matter over to the FBI! Last but not least, don't miss the Guy's Guide to Geek Girls, a step-by-step HOWTO explaining the art of attracting, dating and "maintaining" geek girls. Enjoy!

Book review: Mastering FreeBSD and OpenBSD Security

Book review: Mastering FreeBSD and OpenBSD Security

I have to admit that one of my biggest Internet-related fears is that I wake up one morning to find this site's web server security mechanism cracked and its web pages defaced. This paranoia further accelerates every time I dare to open the auth.log file and start wading through the ever increasing lines indicating that someone somewhere, at this very moment, is attempting a dictionary attack on the SSH server, or when I browse through the tcpdump output providing information about the number of times somebody tried to force their way in through a presumably water-tight port. As a result of this anxiety -- and also to improve my sleep -- I decided to do something: I invested in a copy of O'Reilly's Mastering FreeBSD and OpenBSD Security by Yanek Korff, Paco Hope and Bruce Potter.

Published in March 2005, this 450-page book is divided into three main sections: Security Foundation, Deployment Situations, and Auditing and Incident Response. While some security experts would be able to use the publication as a reference book, the majority of readers targeted by the authors will be wise to read it from the beginning, at least the chapters that are devoted to general security concepts. As the early chapters explain, system security is not a goal, but a journey; it's not something that you attain and forget about - instead, it's a never-ending state of alertness that may at times require fast reaction, lateral thinking and even calculated risks. That's because every security measure implemented on a computer system brings a trade-off. Devising an air-tight security system may indeed give the administrator fewer sleepless nights, but it can also reduce productivity of those users who have legitimate reasons to access the system.

But let's get back to the book. After going through the eye-opening early chapters, it covers the basic building blocks of a BSD system, such as security aspects of sysctl, chroot and jail (the two words that have become synonyms in Linux, but which mean two very different things in FreeBSD), inherent security mechanisms, cryptography and OS tuning. Chapter 3 then goes beyond these elementary concepts by introducing hardening techniques (e.g. sudo, turning off services, and system updates). The first section of the book is then concluded by discussing secure administration techniques, such as access control, network services and system health monitoring. This I found to be perhaps the most valuable chapter of the entire book - not only it covers excellent techniques for organising users, limiting access and dealing with passwords, it also gives many useful tips and warnings over potential pitfalls of granting users seemingly innocent privileges.

The next three chapters deal with practical considerations affecting the most common servers in existence - DNS, mail and web. As anybody who has run Sendmail, Postfix or qmail knows, mail server attacks have become very common in recent years and have been used as gateways to the entire system, or as mail transfer agents for delivering spam. The chapter shows how to guard against malicious mail server attacks and how to reduce the amount of spam delivered to the system's mail boxes. It deals extensively with both Sendmail and Postfix, but qmail users will find it unfair that their mail server is given no more than two paragraphs. Web server attacks are also covered in great detail, together with some advanced prevention techniques, such as the above-mentioned jails.

Next, it's all about firewalls and intrusion detection. OpenBSD's PF (which has since been ported to FreeBSD) is covered in some detail, although a better book to learn all there is about this excellent firewall is Absolute OpenBSD by Michael W Lucas. The last two chapters of the book are devoted to managing audit trails, incident response and forensics. I decided to skip these for the time being - not only I had been overwhelmed by all the new information I had to absorb in the preceding nine chapters, I haven't had a reason (knock on the wood) to learn about recovering compromised systems. But with ever increasing levels of Internet vandalism, it's great to know that a good resource is available as part of this great book.

Anything that could have been done better? Looking through some reader comments on Amazon.com and other forums discussing the book, it was generally very well received. The only aspects that were somewhat disappointing were the above-mentioned neglect of qmail, a rather superficial discussion on firewall failover techniques with CARP (Common Address Redundancy Protocol) and pfsync, and the omission of OpenBSD's systrace. But since this is the book's first edition, let's hope that the authors will expand the next one by incorporating the above topics.

So, will Mastering FreeBSD and OpenBSD Security make your server impenetrable? Of course not. But if you pay attention to some of the security concepts, implement a few security ideas specific to your situation, and understand the risk versus convenience trade-off, you will definitely sleep more soundly. You will be equipped with valuable knowledge that will give you confidence in preventing and dealing with common Internet malice. A great book indeed.

The eagerly anticipated Fedora Core 5, code name "Bordeaux", has been released: "The Fedora Project is pleased to announce the release of Fedora Core 5. New desktop applications, advances in security, better localization tools, improved software installation and management facilities and strong Java integration help to make Fedora Core 5 the most innovative Linux distribution ever." For more details please read the release announcement, release summary and release notes.

CentOS 4.3

CentOS, a community distribution built from source packages for Red Hat Enterprise Linux, has been updated to version 4.3: "The CentOS development team is pleased to announce the availability of CentOS 4.3. Major changes in this version of CentOS include: upgraded update system - this new system provides more that 100 total mirrors for updates and picks geographically close and non-stale mirrors based on our master server's content; Frysk, InfiniBand Architecture (IBA), and z/VM hypervisor issues are discussed in the upstream release notes; updated and added packages." Read the full release announcement for additional information.

AliXe 0.04

AliXe is a French Canadian Linux live CD based on SLAX. The new version 0.04, released yesterday, is derived from SLAX 5.0.7b with a number of newly updated packages; these include Linux kernel 2.6.15, X.Org 6.9.0, KDE 3.5.0, OpenOffice.org 2.0.1 (replaces KOffice), GIMP 2.2.10, Firefox 1.5.0.1 and Thunderbird 1.5. Two keyboards are supported: Canadian French and Canadian multilingual. A "copy2ram" option is available on systems with the minimum of 512 MB or memory. Please refer to the release announcement and visit the project's home page (both links in French) for further details.

B2D Linux 20060321

Taiwan's B2D project has released a new KNOPPIX-based live CD that includes both KDE (3.5.1) and GNOME (2.12) on a single CD. Called "PureKGB", the new version combines the best software from the two major desktop environments, although due to space restrictions, some applications, notably OpenOffice.org, Nvu and Mozilla Thunderbird, had to be left out from the CD. These can be installed through the "Klik" infrastructure. Apart from this major change, the previously reported midi playback bug in Rosegarden has also been fixed. Please read the release announcement (in Chinese) for more information and screenshots.

SLAX 5.0.8

SLAX, a popular live CD based on Slackware Linux, has been updated to version 5.0.8: "It's my pleasure to let you know that SLAX 5.0.8 has been released. All users are strongly encouraged to upgrade, because all new modules created from now are not readable in older SLAX releases. What's new? The long-awaited SLAX Server Edition is finally available; all other editions are updated too; 2.6.16 Linux kernel; fixed bug in mounting of DOS partitions (long file names work now); the 'uselivemod' and 'configsave' features work again." See the distribution's changelog for more details.

Ehad 2006

Ehad is a single-CD, Mandriva-based distribution designed for the speakers of Hebrew. A new major version was released over the weekend. What's new? "Based on Mandriva 2006.0 packages; includes all official updates released until 25-Mar-2006; OpenOffice.org 2.0 (Hebrew version from official project with hspell and Culmus); removed KOffice; the full range of desktop applications are now installed as default; Ehad desktop, boot and LILO theme; local packages: ehad-media (define software repositories with ease) , ehad-guide (a guide for Israeli Internet Connectivity), ehad-radio (Hebrew Internet Radio launcher), hocr (Hebrew OCR), hdate (Hebrew calendar), Anka (new type-1 font from 'culmus fancy' series)." Read the release announcement (in Hebrew) and release notes for more details.